Hi, (VM3.8.8 J 39.9.25)
please, in the Extra IPs for IPN check field how should I separate the PayPal ips?
Like this
173.0.81.65 173.0.81.140 64.4.248.0/22
or
173.0.81.65, 173.0.81.140, 64.4.248.0/22
or
173.0.81.65; 173.0.81.140; 64.4.248.0/22
or...
Thank you
Francesco
Hi, please, can anybody answer?
Today I had a problem with a payment also if I have in Extra IPs for IPN check field this list:
66.211.170.66,173.0.81.1,173.0.81.0/24,173.0.81.33,173.0.81.65,173.0.81.140,64.4.240.0/21,64.4.248.0/22,66.211.168.0/22,173.0.80.0/20,91.243.72.0/23
in paypal.4.log.php I see this error:
---
2021-05-01 09:30:04 DEBUG PaymentNotification, order_number:: Order nr. XYZ
2021-05-01 09:30:04 DEBUG PaymentNotification, virtuemart_paymentmethod_id:: 4
2021-05-01 09:30:04 DEBUG checkPaypalIps $paypal_iplist: Array
(
[0] => 173.0.88.40
[1] => 173.0.84.40
[2] => 66.211.169.17
[3] => 173.0.88.8
[4] => 173.0.81.65
[5] => 173.0.81.33
[6] => 173.0.81.1
[7] => 66.211.170.66
[8] => 173.0.81.1
[9] => 173.0.81.0/24
[10] => 173.0.81.33
[11] => 173.0.81.65
[12] => 173.0.81.140
[13] => 64.4.240.0/21
[14] => 64.4.248.0/22
[15] => 66.211.168.0/22
[16] => 173.0.80.0/20
[17] => 91.243.72.0/23
)
2021-05-01 09:30:04 DEBUG checkPaypalIps REMOTE ADDRESS: 173.0.81.65
2021-05-01 09:30:04 ERROR validateIpnContent: Convalida IPN non corretta: NO ANSWER FROM PAYPAL
2021-05-01 09:30:04 DEBUG validateIpnContent: valid_ipn:
---
But I have 173.0.81.65 in Extra IPs for IPN check VM PayPal method field.
Is it wrong to write ips separated by comma as I did?
Thank you
Best regards
Francesco
I guess that the ip range 173.0.81.0/24 expands to 173.0.81.0 - 173.0.81.255. Dividing the input with commas should be correct. I would appreciate other opinions on this, but these are my 2 cents.
Jörgen @ Kreativ Fotografi
Thank you Jörgen, you are very kind.
I add some more details, maybe it helps.
1) The customer paid by credit card.
2) Order was in the pending status.
3) After paying she was redirected to a site page that said "Your order status is pending".
4) In her credit card account detail, it said pending debit.
5) I received an e-mail from my site with this subject: "Error with paypal payment in your shop"
6) The money had already been credited to my paypal account.
Luckily I was on my computer when all this happened, so I quickly fixed the problem changing the order status from pending to confirmed.
My best regards
Francesco
I got a couple of these today as well for the first time.
I wonder if the "Update: Important information about Instant Payments Notification (IPN) (PP-LIVE-31029)" on https://www.paypal-status.com/bulletin/production is relevant:
Update:
This change will now take effect on May 3, 2021. The date in the previous posts has been likewise updated to reflect May 3, 2021.
Mar 11, 16:37 UTC
Update:
This change will now take effect on May 3, 2021.
As a point of clarification, merchants will be receiving IPNs from all the below IP addresses. However, on May 3 2021, the old IP addresses (marked below) will be deprecated and IPNs will only be sent with the new IP addresses (also marked below).
66.211.170.66 (Old)
66.211.170.66 (Old)
173.0.81.1 (Old)
173.0.81.0/24 (Old)
173.0.81.33 (Old)
173.0.81.65 (New)
173.0.81.140 (New)
64.4.240.0/21 (New)
64.4.248.0/22 (New)
66.211.168.0/22 (New)
173.0.80.0/20 (New)
91.243.72.0/23 (New)
Totally relevant .. either add these new ips or switch off
Check IPN provider IP
I assume these will be added in the next release
Thanks for the confirmation ... it did look like a huge red flag :)
I have lists of Paypal servers in:
plugins/vmpayment/paypal/paypal/helpers/paypal.php
templates/<template name>/html/com_virtuemart/vmpayment/paypal/helpers/paypal.php
I plan to update both, but it would be interesting to know what the template file is, if anyone knows ?
Also, there appear to be a large number of possible IPN servers (just under 9000 !), if my calculations are correct:
<?php
// generates 8965 addresses with the inclusive loop bound below
// (8959 if the last address of each range is skipped) ...
$arr = ipnIPs(array( "66.211.170.66", "173.0.81.1", "173.0.81.33", "173.0.81.65", "173.0.81.140",
    "173.0.81.0/24", "64.4.240.0/21", "64.4.248.0/22", "66.211.168.0/22", "173.0.80.0/20", "91.243.72.0/23"));
var_dump($arr);

function ipnIPs($cidrs) {
    $range = array();
    foreach ($cidrs as $cidr) {
        if (strpos($cidr, '/') === false) {
            // single address, keep as-is
            $range[] = $cidr;
        } else {
            // CIDR range: expand to every address from first to last
            $cidr_arr = explode('/', $cidr);
            $start_ip = ip2long($cidr_arr[0]);
            $end_ip = $start_ip + pow(2, (32 - (int) $cidr_arr[1])) - 1;
            // generates the .0 and .255 addresses, but we don't care :)
            for ($i = $start_ip; $i <= $end_ip; $i++) {
                $range[] = long2ip($i);
            }
        }
    }
    return $range;
}
?>
I noticed that I can't set "Check IPN Provider IP" to anything other than "Yes" anyway (it resets when I save), so I guess I just check all possible addresses ...
David
I actually hadn't noticed Paypal gives ranges now
e.g. 64.4.240.0/21 (New)
saves fine for me in various installs
Thanks for the heads-up GJC, I need to upgrade my VM but the last time I tried the upgrade failed so I need to set a week or so aside to figure out the problem and get all the testing etc. done ... never enough time.
I should do this anyway, as having updated the IP addresses I no longer get the IPN failure, in fact I get no notifications at all from PayPal, and no errors in the web server logs, the Joomla logs or the VM logs, so this is a significant problem right now. Rolling back the IPN code checks makes no difference either, as I guess the "error contacting IPN servers" is somewhat random based on the IPs that are actually alive at Paypal. I've successfully updated my test site to J3.9.26/VM 3.8.9, and I see none of the new IP Addresses in the paypal.php, which is a bit worrying.
However the "IPN Provider IP" works on the test site so I may do something about this on my live site too (in the database) if it temporarily fixes my problem.
What's the actual effect of disabling the "IPN Provider IP" ? Do I lose any callback data like Paypal fees/status, or is it "only" a security feature to stop payments being spoofed as confirmed ?
David
EDIT: After a long night, I've finished testing the test system, upgraded the live site to J3.9.26/VM 3.8.9 too and everything is working very well with "Check IPN provider IP" enabled. I haven't examined the code where the IPN IP addresses are actually checked so I don't know if that's been fixed or if I'm just lucky so far.
Quote from: dmb on May 04, 2021, 21:36:23 PM
What's the actual effect of disabling the "IPN Provider IP" ? Do I lose any callback data like Paypal fees/status, or is it "only" a security feature to stop payments being spoofed as confirmed ?
Very interesting question!
Francesco
Security feature only - I have it disabled for years
If anyone wants to have IPN enabled and the correct Paypal servers you could do as I did and change plugins/vmpayment/paypal/paypal/helpers/paypal.php as below.
This works in J3.10.2/VM3.8.9.
I'd really like to override this core file but I don't know where to put my override (I tried in ./templates/<mytemplate>/html/com_virtuemart/vmpayment/paypal/helpers/paypal.php but that didn't work so it's not right :))
updated checkPaypalIps():
protected function checkPaypalIps ($paypal_data) {
    /*
    $test_ipn = (array_key_exists('test_ipn', $paypal_data)) ? $paypal_data['test_ipn'] : 0;
    if ($test_ipn == 1) {
        return true;
    }
    */
    /*
     * adding an extra parameter because getting IP through gethostbynamel is unfortunately not a reliable method
     */
    if (isset($this->_method->check_ips) and $this->_method->check_ips==0) {
        return true;
    }
    $order_number = $paypal_data['invoice'];
    // Get the list of IP addresses for www.paypal.com and notify.paypal.com
    if ($this->_method->sandbox) {
        $paypalHosts = array('ipn.sandbox.paypal.com','ipnpb.sandbox.paypal.com');
    } else {
        $paypalHosts = array('ipnpb.paypal.com','notify.paypal.com');
    }
    $paypal_iplist = array();
    foreach($paypalHosts as $host){
        $ipList = gethostbynamel($host);
        // gethostbynamel() returns false when the lookup fails; skip it in that case
        if (is_array($ipList)) {
            $paypal_iplist = array_merge($paypal_iplist,$ipList);
        }
    }
    if (isset($this->_method->extra_ips)){
        $extraIps = explode(',',$this->_method->extra_ips);
        $paypal_iplist = array_merge($paypal_iplist,$extraIps);
    }
    // add the official Paypal IP addresses
    $paypal_iplist = array_merge($paypal_iplist, $this->generateIPNList()); // DMB 20210501
    // $this->debugLog($paypal_iplist, 'checkPaypalIps $paypal_iplist', 'debug', false);
    $remoteIPAddress = ShopFunctions::getClientIP();
    $hostname = gethostbyaddr($remoteIPAddress);
    $this->debugLog($remoteIPAddress, 'checkPaypalIps REMOTE ADDRESS', 'debug', false);
    // test if the remote IP connected here is a valid IP address
    if (!in_array($remoteIPAddress, $paypal_iplist) and !in_array($hostname, $paypalHosts)) {
        $text = "(plugins/vmpayment/paypal/paypal/helpers/paypal.php) Error with REMOTE IP ADDRESS = " . $remoteIPAddress . ".\n
The remote address of the script posting to this notify script does not match a valid PayPal IP address\n
These are the valid IP Addresses: " . implode(",", $paypal_iplist) . "The Order ID received was: " . $order_number;
        $this->debugLog($text, 'checkPaypalIps', 'error', false);
        return false;
    }
    return true;
}
New generateIPNList() function - note the list of Paypal address ranges from their most recent advisory notice:
/*
* DMB 20210501
*
* generate an array of Paypal IPN servers
*
* From https://www.paypal-status.com/bulletin/production:
*
* As previously communicated, PayPal expanded its IPN infrastructure on May 3. All of the IP addresses listed below will be used for IPN:
*
* 66.211.170.66
* 173.0.81.1
* 173.0.81.0/24
* 173.0.81.33
* 173.0.81.65
* 173.0.81.140
* 64.4.240.0/21
* 64.4.248.0/22
* 66.211.168.0/22
* 173.0.80.0/20
* 91.243.72.0/23
*/
function generateIPNList() {
    $cidrs = array( "66.211.170.66", "173.0.81.1", "173.0.81.33", "173.0.81.65", "173.0.81.140",
        "173.0.81.0/24", "64.4.240.0/21", "64.4.248.0/22", "66.211.168.0/22", "173.0.80.0/20", "91.243.72.0/23");
    $range = array();
    foreach ($cidrs as $cidr) {
        if (strpos($cidr, '/') === false) {
            // single address, keep as-is
            $range[] = $cidr;
        } else {
            // CIDR range: expand to every address from first to last
            $cidr_arr = explode('/', $cidr);
            $start_ip = ip2long($cidr_arr[0]);
            $end_ip = $start_ip + pow(2, (32 - (int) $cidr_arr[1])) - 1;
            // generates the .0 and .255 addresses, but we don't care :)
            for ($i = $start_ip; $i <= $end_ip; $i++) {
                $range[] = long2ip($i);
            }
        }
    }
    return $range;
}
Apologies to the original authors, I based this function on code I found elsewhere and didn't keep a note of the source.
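An alternative to expanding every range into a list of addresses, as an added example (not code from this thread or from VirtueMart): the remote address is compared against each CIDR entry with a bit mask, and the comma-separated field is trimmed so entries written with spaces after the commas still match. The function names are hypothetical, only IPv4 is handled, and a 64-bit PHP build is assumed.

```php
<?php
// Added example: hypothetical helpers, not VirtueMart functions.

/** Split an "Extra IPs" style string on commas, dropping spaces and empty items. */
function parseIpList(string $field): array {
    return array_values(array_filter(array_map('trim', explode(',', $field)), 'strlen'));
}

/** True if $ip (IPv4) equals $entry, or lies inside it when $entry is a CIDR range. */
function ipMatchesEntry(string $ip, string $entry): bool {
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                       // not a valid IPv4 address
    }
    if (strpos($entry, '/') === false) {
        return ip2long($entry) === $ipLong; // single address
    }
    list($base, $bits) = explode('/', $entry, 2);
    $baseLong = ip2long($base);
    if ($baseLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;                       // malformed entry never matches
    }
    // Network mask for the prefix length (assumes 64-bit integers).
    $mask = (0xFFFFFFFF << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($baseLong & $mask);
}

/** True if $ip matches any entry of the allow-list. */
function ipInList(string $ip, array $entries): bool {
    foreach ($entries as $entry) {
        if (ipMatchesEntry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: ranges quoted in this thread, written with mixed spacing.
$field = '66.211.170.66, 173.0.81.0/24,64.4.240.0/21 , 64.4.248.0/22, '
       . '66.211.168.0/22, 173.0.80.0/20, 91.243.72.0/23';
$allowed = parseIpList($field);

var_dump(ipInList('173.0.81.140', $allowed)); // inside 173.0.81.0/24
var_dump(ipInList('173.0.95.255', $allowed)); // last address of 173.0.80.0/20
var_dump(ipInList('173.0.96.1', $allowed));   // first block past 173.0.80.0/20
var_dump(ipInList('not-an-ip', $allowed));    // not an IPv4 address
```

The allow-list only narrows which hosts may call the notify script; whether a notification is genuine is still decided by the separate IPN validation step (validateIpnContent in the log earlier in the thread).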
VM did have a fixed IP address function in previous versions of the PayPal Plugins, it was removed as it is not what PayPal suggest in validating IP's
However, it was apparent that a separate additional configuration option might be needed and it was introduced as a new config option in the PayPal payment method settings.
"extra IPs for IPN check "
Have you ever tried using this provided configuration - instead of adding a hard coded set of IP's?
Quote from: AH on September 22, 2021, 11:37:20 AM
However, it was apparent that a separate additional configuration option might be needed and it was introduced as a new config option in the PayPal payment method settings.
"extra IPs for IPN check "
Have you ever tried using this provided configuration - instead of adding a hard coded set of IP's?
Unfortunately it seems like they use whole subnets (https://lookouthost.com/papal-ips-for-instant-payments-notification-ipn/) for IPNs now which is not supported by that config field as it only does an in_array check with the IP and does not support subnets.
http://forum.virtuemart.net/index.php?topic=146573.msg522819#msg522819
doesn't the code from dmb provide all the ranges as individual ips? http://forum.virtuemart.net/index.php?topic=146573.msg525192#msg525192
or just switch it off.. have done for the 40+ sites I manage and no fraud yet ... :P
Quote
or just switch it off.. have done for the 40+ sites I manage and no fraud yet
Me too
We are also getting this error:
2021-12-15 12:07:18 ERROR checkPaypalIps: Error with REMOTE IP ADDRESS = 173.0.81.140.
The remote address of the script posting to this notify script does not match a valid PayPal IP address
These are the valid IP Addresses: 64.4.248.8,173.0.81.33,173.0.81.1,173.0.81.65,The Order ID received was:
2021-12-20 16:56:17 ERROR checkPaypalIps: Error with REMOTE IP ADDRESS = 173.0.81.140.
The remote address of the script posting to this notify script does not match a valid PayPal IP address
These are the valid IP Addresses: 64.4.248.8,173.0.81.65,173.0.81.1,173.0.81.33,The Order ID received was:
I read through this entire thread and am still lost as to what to do about it. Our plug-in doesn't have an option to add IP addresses (that I can see anyway).
Joomla 3.10.4
Virtuemart 3.8.8 10472
VM Payment - PayPal plugin 3.8.8
Can someone post a screenshot of the solution, or step-wise instructions?
You should look in payment options, not in the plugin setup.
Add the ip and all will be fine for now
Jörgen
Hello, thank you all.
So, I should use the extra IP's field to add IP's?
This is because RDNS of paypal is not a reliable source for creating an array of all the IPs?
Quote from: AH on December 17, 2021, 10:09:06 AM
@GJC
Agreed - there will be no fix as far as I can see due to the PayPal ip ranges changing.
Agree totally - I have IP check switched off for years, on all my customer sites - up until now, no problem has occurred .
Linking to this thread for master.
http://forum.virtuemart.net/index.php?topic=147461.msg526512#msg526512